1. They do not know the posters' IP - which can be anything. For example, I am posting this from my work place, with traffic filtered via Netherlands and England etc. And only some 300,000 workers worldwide... uh oh.
2. They do not know where they live, who they are or what their bank is.
3. They do not know the account or the password itself.
4. Usually bank accounts include an extra in identification, like PIN, ID etc.
5. Localized languages and interfaces.

Mrk

Here in Sweden the bank that I use has been attacked several times by phishing. They made a fake site so they could get the one-time-only codes the bank uses.
As a customer you have an option to buy a card reader ($15) and log in with your bank card (and a certificate issued by the bank) or you can use one-time-only codes issued by the bank.
But not many have bought the card reader, and it is some of those that have made themselves victims by clicking on a link that goes to the fake site. It was amazing that people fell for it because the spelling in the mail (saying "you have to log in to your account because of whatever") was really bad, made by some low-budget translation software.
I believe the bad guys who did this were in Russia, Ukraine or some other former Soviet state.
And some attacks were done by some kind of trojans, so the bank gave every customer a free AV (Norman Virus Control).

Good for me, I got me a free AV, but the easiest and wisest thing would've been to give everyone a card reader and dump the codes.

Mrkvonic, I'm glad you pointed that out. Even if you were to identify your username and the bank where you have a 6-character password I'm not sure that would greatly increase your chances of being hacked!

What are some likely ways someone would steal from your account?

1. By installing a keylogger on your computer.
2. By searching your hard drive for account details.
3. You used the same or a similar password elsewhere.
4. By phishing (e-mail, snail mail, phone)
5. By abusing your trust (partner, family).
6. By abusing their power as a bank employee.
7. By stealing your debit card details after you use it online.
8. By stealing your debit card.
9. By eavesdropping (e-mail, snail mail, phone)

An online password cracking attempt seems unlikely. Even a 6-character alphanumeric password has 56,800,235,584 possibilities, and most banks will lock out your account if there are many failed password attempts.

What if someone trusted by the bank stole the password hashes? Because of this possibility, I use 10+ characters for passwords on any site that has access to my monies. A 6-character alphanumeric password can be brute-force cracked in under an hour with a good laptop and faster with a concerted attack. Why expose yourself to such threats when you don't have to?

I like RoboForm2Go because it protects you from keyloggers and phishing, and makes it easy to use a maximum-length password. Of course, common sense plays a big role, too! Since I'm not an expert at this, I'm really curious what others think about securing their online bank accounts.
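The keyspace figures in the post above can be worked through in code. This is an added example, not part of the original post: it takes the post's 62-symbol alphabet and its "under an hour" figure for 6 characters, derives the guess rate that figure implies, and applies the same rate to 10 characters. The lockout threshold of 5 attempts and the uniformly random password are assumptions.

```python
import string

# 62 symbols (a-z, A-Z, 0-9), matching the post's 56,800,235,584 figure for 6 characters
ALPHANUMERIC = string.ascii_letters + string.digits
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet_size=len(ALPHANUMERIC)):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def implied_rate(length, seconds):
    """Guesses per second needed to exhaust the keyspace within `seconds`."""
    return keyspace(length) / seconds


def years_to_exhaust(length, guesses_per_second):
    """Worst-case offline search time in years at a fixed guess rate."""
    return keyspace(length) / guesses_per_second / SECONDS_PER_YEAR


def online_success_probability(length, attempts_before_lockout):
    """Chance that blind online guessing hits the password before lockout.

    Assumes the password was chosen uniformly at random, which
    human-chosen passwords usually are not.
    """
    return min(1.0, attempts_before_lockout / keyspace(length))


if __name__ == "__main__":
    # Rate implied by "6 characters in under an hour" against stolen hashes
    rate = implied_rate(6, 3600)
    print(f"6-char keyspace:       {keyspace(6):,}")
    print(f"implied guess rate:    {rate:,.0f} per second")
    for n in (6, 8, 10, 12):
        print(f"{n:>2} chars at that rate: {years_to_exhaust(n, rate):,.4f} years")
    # Assumed lockout policy: 5 failed attempts (constructed value)
    p = online_success_probability(6, 5)
    print(f"online guess, 5 tries: {p:.2e} chance of success")
```

The two threat models separate cleanly: lockout makes online guessing negligible even at 6 characters, while length is what matters once hashes are stolen.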

An analysis report by Kaspersky Labs on keyloggers has this introduction, which is a timely warning for us all to be vigilant and be aware of what we are doing on the 'net:

In February 2005, Joe Lopez, a businessman from Florida, filed a suit against Bank of America after unknown hackers stole $90,000 from his Bank of America account. The money had been transferred to Latvia.

An investigation showed that Mr. Lopez’s computer was infected with a malicious program, Backdoor.Coreflood, which records every keystroke and sends this information to malicious users via the Internet. This is how the hackers got hold of Joe Lopez’s user name and password, since Mr. Lopez often used the Internet to manage his Bank of America account.

However the court did not rule in favor of the plaintiff, saying that Mr. Lopez had neglected to take basic precautions when managing his bank account on the Internet: a signature for the malicious code that was found on his system had been added to nearly all antivirus product databases back in 2003.

Joe Lopez’s losses were caused by a combination of overall carelessness and an ordinary keylogging program.